diff options
author | Jerome Charaoui <jcharaoui@cmaisonneuve.qc.ca> | 2015-05-07 15:30:07 +0000 |
---|---|---|
committer | Jerome Charaoui <jcharaoui@cmaisonneuve.qc.ca> | 2015-05-07 15:30:07 +0000 |
commit | df03b0865c03b3408c969fc4e8fae53e0f28f1e4 (patch) | |
tree | 23d6821762f4b06af3809e686a722edd98af94b2 /templates/sshd_config | |
parent | b5e16ec06499e45b4efd9f7353bb31f3a972417e (diff) | |
parent | e4a9c15987372e63ace244a92619bdd2e4c5407a (diff) |
Merge branch 'enhance_hardened' into 'master'
Enhance hardened
This implements as many recommendations in https://stribika.github.io/2015/01/04/secure-secure-shell.html as possible
See merge request !10
Diffstat (limited to 'templates/sshd_config')
-rw-r--r-- | templates/sshd_config/CentOS_6.erb | 8 | ||||
-rw-r--r-- | templates/sshd_config/CentOS_7.erb | 8 | ||||
-rw-r--r-- | templates/sshd_config/Debian_jessie.erb | 7 | ||||
-rw-r--r-- | templates/sshd_config/Debian_sid.erb | 7 | ||||
-rw-r--r-- | templates/sshd_config/Debian_squeeze.erb | 2 | ||||
-rw-r--r-- | templates/sshd_config/Debian_wheezy.erb | 8 | ||||
-rw-r--r-- | templates/sshd_config/FreeBSD.erb | 8 | ||||
-rw-r--r-- | templates/sshd_config/Gentoo.erb | 8 | ||||
-rw-r--r-- | templates/sshd_config/OpenBSD.erb | 8 | ||||
-rw-r--r-- | templates/sshd_config/Ubuntu.erb | 8 | ||||
-rw-r--r-- | templates/sshd_config/Ubuntu_lucid.erb | 8 |
11 files changed, 65 insertions, 15 deletions
diff --git a/templates/sshd_config/CentOS_6.erb b/templates/sshd_config/CentOS_6.erb index 47cb077..4c1e28a 100644 --- a/templates/sshd_config/CentOS_6.erb +++ b/templates/sshd_config/CentOS_6.erb @@ -150,10 +150,16 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> +<% end -%> # Example of overriding settings on a per-user basis #Match User anoncvs diff --git a/templates/sshd_config/CentOS_7.erb b/templates/sshd_config/CentOS_7.erb index 7db2277..5acef6d 100644 --- a/templates/sshd_config/CentOS_7.erb +++ b/templates/sshd_config/CentOS_7.erb @@ -164,10 +164,16 @@ AllowGroups <%= s %> #Host *.local # CheckHostIP no -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> +<% end -%> # Example of overriding settings on a per-user basis #Match User anoncvs diff --git a/templates/sshd_config/Debian_jessie.erb b/templates/sshd_config/Debian_jessie.erb index 033f409..0138acf 100644 --- a/templates/sshd_config/Debian_jessie.erb +++ b/templates/sshd_config/Debian_jessie.erb @@ -111,9 +111,10 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> -Ciphers aes256-ctr -MACs hmac-sha1 +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> diff --git a/templates/sshd_config/Debian_sid.erb b/templates/sshd_config/Debian_sid.erb index 033f409..0138acf 100644 --- a/templates/sshd_config/Debian_sid.erb +++ b/templates/sshd_config/Debian_sid.erb @@ -111,9 +111,10 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> -Ciphers aes256-ctr -MACs hmac-sha1 +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com <% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> diff --git a/templates/sshd_config/Debian_squeeze.erb b/templates/sshd_config/Debian_squeeze.erb index 0ba323f..d42fac1 100644 --- a/templates/sshd_config/Debian_squeeze.erb +++ b/templates/sshd_config/Debian_squeeze.erb @@ -115,7 +115,7 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> diff --git a/templates/sshd_config/Debian_wheezy.erb b/templates/sshd_config/Debian_wheezy.erb index cd4bf48..961b26d 100644 --- a/templates/sshd_config/Debian_wheezy.erb +++ b/templates/sshd_config/Debian_wheezy.erb @@ -114,10 +114,16 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/FreeBSD.erb b/templates/sshd_config/FreeBSD.erb index d4cd9b5..91b5e77 100644 --- a/templates/sshd_config/FreeBSD.erb +++ b/templates/sshd_config/FreeBSD.erb @@ -152,10 +152,16 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/Gentoo.erb b/templates/sshd_config/Gentoo.erb index 1cb4522..ac6ae51 100644 --- a/templates/sshd_config/Gentoo.erb +++ b/templates/sshd_config/Gentoo.erb @@ -147,10 +147,16 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/OpenBSD.erb b/templates/sshd_config/OpenBSD.erb index aa92eb6..cc1c2b9 100644 --- a/templates/sshd_config/OpenBSD.erb +++ b/templates/sshd_config/OpenBSD.erb @@ -128,10 +128,16 @@ AllowGroups <%= s %> # AllowTcpForwarding no # ForceCommand cvs server -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/Ubuntu.erb b/templates/sshd_config/Ubuntu.erb index 0ba323f..29c1bf9 100644 --- a/templates/sshd_config/Ubuntu.erb +++ b/templates/sshd_config/Ubuntu.erb @@ -115,10 +115,16 @@ AllowUsers <%= s %> AllowGroups <%= s %> <%- end -%> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index cff95a7..550243f 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -118,10 +118,16 @@ AllowGroups <%= s %> PrintMotd <%= scope.lookupvar('sshd::print_motd') %> -<% if scope.lookupvar('sshd::hardened_ssl') == 'yes' -%> +<% if scope.lookupvar('sshd::hardened') == 'yes' -%> +<% if (scope.function_versioncmp([scope.lookupvar('::ssh_version'),'6.5'])) >= 0 -%> +KexAlgorithms curve25519-sha256@libssh.org +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com +<% else -%> Ciphers aes256-ctr MACs hmac-sha1 <% end -%> +<% end -%> <% unless (s=scope.lookupvar('sshd::tail_additional_options')).empty? -%> <%= s %> |